Add plugin type for ServerAttestor #58
Signed-off-by: Kevin Fox <[email protected]>
|
||
message GetTrustBundleResponse { | ||
spire.plugin.types.Bundle bundle = 1; | ||
bool insecure_bootstrap = 2; |
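Review bot: `insecure_bootstrap` in `GetTrustBundleResponse` has no comment saying what the agent does when it is true, or what happens when `bundle` is set at the same time. Please document the field and state which of the two wins (for example, that `bundle` must be unset when `insecure_bootstrap` is true), so a plugin cannot return an ambiguous response on a path that skips server verification.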
How is the insecure_bootstrap intended to be used? Doesn't the agent not verify the server in the case of insecure bootstrapping? Would it even reach out to these plugins in that case?
To implement:
plugins {
    TrustBundleSource "insecure" {}
}
The plugin would just have a GetTrustBundle function that does:
return nil, true
The plugin would be able to determine if it wanted to insecurely bootstrap and pass that on to be done. Doing it at the plugin level would allow a policy plugin to be written that does some logic before falling back to an insecure bootstrap.
Basically, the plugin would get called right before attestation to determine what to do (https://github.com/kfox1111/spire/blob/rebootstrap/pkg/agent/agent.go#L129-L132)
BootstrapTrustBundle, InsecureBootstrap, err = a.c.TrustBundleSources.GetBundle()
}
if err == nil {
as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor, BootstrapTrustBundle, InsecureBootstrap)
proto/spire/plugin/agent/trustbundlesource/v1/trustbundlesource.proto
// Hint for which type of action this trust bundle will be used for | ||
Use use_hint = 2; | ||
|
||
// Optional server url that is being used with the retrieved bundle | ||
string server_url = 3; | ||
|
||
// How many connection attempts to the server have been made so far | ||
int32 connection_attempts = 4; | ||
|
||
// When was (re)bootstrapping started | ||
google.protobuf.Timestamp starttime = 5; |
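Review bot: `starttime` (field 5) breaks the snake_case naming used by `server_url` and `connection_attempts` in the same message; rename it to `start_time` before the field name is published. `connection_attempts` could also be `uint32`, since a count of attempts is never negative.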
How is the plugin using this information? Some of these seem like plugin-specific configuration, which can be done through the plugin data config, for example the server URL, which wouldn't be used for a file-based bundle source.
It's metadata that a plugin might want to use in its calculation for returning trust bundles / insecure mode, but it doesn't have to.
For example, a plugin that just reads from a file can ignore all of this.
A policy plugin may want to look at these things to determine: pull from source A if it's attempted less than 10 connections, then use source B. Or, if now() > starttime + 10m, use source C. Or another plugin may call out to an external URL to do the logic, and pass along trustdomain/server_url info so one external service could handle lots of different instances (some kind of trust-bundle-as-a-service thing).
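One way to express the policy described in the comment above, as an added example that is not code from this PR or from SPIRE. `Request`, `Policy`, `Decide`, the source names A/B/C and the `AllowInsecure` opt-in are assumptions, as is combining the attempt-count rule and the deadline rule into one ordering with insecure bootstrap as an explicitly enabled last resort.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Request mirrors connection_attempts and starttime from the proto under
// review; the Go names are hypothetical.
type Request struct {
	ConnectionAttempts int32
	StartTime          time.Time
}

// Policy holds constructed thresholds taken from the examples in the thread.
type Policy struct {
	MaxAttemptsA  int32         // prefer source A below this many attempts
	Deadline      time.Duration // past StartTime+Deadline, only source C
	AllowInsecure bool          // insecure bootstrap must be opted into
}

// Decide orders the sources from the request metadata and returns the first
// one present in available. insecure=true with no source corresponds to the
// "return nil, true" case and is only reached when nothing else is usable.
func Decide(req Request, now time.Time, p Policy, available map[string]bool) (source string, insecure bool, err error) {
	order := []string{"B", "C"}
	switch {
	case now.After(req.StartTime.Add(p.Deadline)):
		order = []string{"C"}
	case req.ConnectionAttempts < p.MaxAttemptsA:
		order = []string{"A", "B", "C"}
	}
	for _, s := range order {
		if available[s] {
			return s, false, nil
		}
	}
	if p.AllowInsecure {
		return "", true, nil
	}
	return "", false, errors.New("no trust bundle source permitted by policy")
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample
	p := Policy{MaxAttemptsA: 10, Deadline: 10 * time.Minute}
	req := Request{ConnectionAttempts: 3, StartTime: start}
	fmt.Println(Decide(req, start.Add(time.Minute), p, map[string]bool{"A": true}))
}
```

With `AllowInsecure` left false, an agent that exhausts every source gets an error rather than an unverified connection to the server.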
Signed-off-by: Kevin Fox <[email protected]>